Rack Multipart Parser Boundary Parameter Misinterpretation Vulnerability

Vulnerability

A vulnerability exists in Rack's handling of multipart/form-data uploads, specifically in versions prior to 2.2.23, 3.1.21, and 3.2.6. The issue arises because Rack::Multipart::Parser uses a greedy regular expression to extract the boundary parameter from the Content-Type header. When multiple boundary parameters are present, Rack incorrectly selects the last one instead of the first. This can lead to a mismatch where an upstream proxy or web application firewall (WAF) interprets the first boundary, allowing an attacker to bypass upstream content inspection and manipulate how Rack parses the request body. The vulnerability is most concerning in deployments where security decisions are made before the request reaches Rack.

Impact

Exploiting this vulnerability can bypass upstream filtering of multipart uploads, allowing malicious files or form fields to be accepted by the application without proper inspection. The actual impact depends on the application's handling of the uploaded content and the presence of any vulnerabilities that could be exploited using the smuggled data.

Remediation

Users are advised to update Rack to version 2.2.23, 3.1.21, or 3.2.6, all of which address the vulnerability by properly handling ambiguous multipart Content-Type headers. In addition, requests with multiple boundary parameters can be rejected, or multipart metadata can be normalized at the trusted edge before reaching Rack. It is also recommended to avoid relying on upstream inspection of malformed multipart requests unless parameter handling is consistent across all components.
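One way to implement the "reject requests with multiple boundary parameters" mitigation, as an added Ruby example that is not Rack's own parser or its fix (the parameter regex, the `strict_boundary` helper and the `RejectAmbiguousMultipart` middleware are all assumptions):

```ruby
# Illustrative strict boundary check (added example, not Rack's own code):
# enumerate every parameter on the Content-Type header, preserving order and
# duplicates, so a request with more than one boundary can be refused at the
# trusted edge before any component has to pick a winner.
class AmbiguousMultipartError < StandardError; end

# One parameter per match: name, then a quoted-string or a bare token.
CT_PARAM = /;\s*([^=;\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;\s]*)/

# Returns [[name, value], ...] with names lower-cased and quoted values
# unescaped. Duplicates are kept on purpose; the caller decides what to do.
def content_type_params(header)
  header.to_s.scan(CT_PARAM).map do |name, value|
    if value.start_with?('"') && value.end_with?('"') && value.length >= 2
      value = value[1..-2].gsub(/\\(.)/, '\1')
    end
    [name.downcase, value]
  end
end

# Accepts a header only when exactly one boundary parameter is present, so
# an upstream proxy, a WAF and the application can never disagree on it.
def strict_boundary(header)
  boundaries = content_type_params(header).select { |n, _| n == 'boundary' }
  unless boundaries.size == 1
    raise AmbiguousMultipartError,
          "expected exactly one boundary parameter, found #{boundaries.size}"
  end
  boundaries.first.last
end

# Hypothetical Rack middleware (name and placement are assumptions) that
# answers 400 to ambiguous multipart requests before the body is parsed.
class RejectAmbiguousMultipart
  def initialize(app)
    @app = app
  end

  def call(env)
    ct = env['CONTENT_TYPE'].to_s
    if ct.downcase.start_with?('multipart/')
      begin
        strict_boundary(ct)
      rescue AmbiguousMultipartError => e
        return [400, { 'content-type' => 'text/plain' }, ["#{e.message}\n"]]
      end
    end
    @app.call(env)
  end
end
```

Mounting the middleware in front of the application is one option; applying the same `strict_boundary` rule in the proxy or WAF configuration gives the edge and Rack a single, consistent answer.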

Added: May 3, 2026, 11:23 AM
Updated: May 3, 2026, 11:23 AM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 0.6
exploitability: 7.0
remediation: 7.9
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.